The official docs only go as far to say put system above root and rename admin.php to something obscure - which is not security so much as it is inconveniencing bots that would otherwise simply try to hit domain.com/admin.php repeatedly, for example. I commonly hear (today on Twitter being an example) questions about what else one can do to secure expressionengine. Not being terribly knowledgable in this area myself, and so for my benefit and others, are there some #eecms security gurus out there that could share some of the essentials that everyone should consider doing?
What are the some best ways to secure expressionengine?
Asked Answered
This question isn't really a good fit for the Q&A format, because it will lead to extended discussion (it's not a specific problem - see the FAQ). Just a heads up that it might get closed if a mod sees it. –
Burney
You should also checkout Eric Lamb's Securitee ( http://devot-ee.com/add-ons/securitee ) add-on as a good next step in securing EE. It does a plethora of security checks to make sure that your system is as secure as possible through out the life of your site as security is not something that is set and forgot. From my experience harm doesn't usually come from hackers/bots but from people with to much access to the system. This also includes members that are granted temporary access but their access is never revoked, I know that in systems that I am added after development has been completed there are usually 2-3 super admins created for add-on developers to sort out a problem during development. While I am not saying that the add-on developers are going to wreck havoc on your site it is just another possible security hole that needs to be addressed.
Mark's booklet is a great read as is Eric Lamb's blog post about Securitee http://mithra62.com/blog/view/why-you-should-care-about-securitee
Mark Huot has written a small booklet on securing expressionengine, you can get it here http://mijingo.com/products/ebooklets/securing-expressionengine-2/
Recommended read.
I wasn't that impressed with Mark's booklet. It just seemed like he was re-iterating what the docs already cover. Still, the recommended settings are helpful, and for 10 bucks, there's no reason not to pick it up. –
Organography
The base install is quite secure. Renaming the system folder and/or admin.php takes away the first nail they could be hammering. Special attention should be given to add-ons that might have some security holes.
Limit access to the control panel for head-editors only and tighten down access to only parts they should have access to. If the generic users need to post articles, that can be done with the safecracker add-on, but in its current state could really do with a security checkup.
If you have a lynda.com account, check out "Wordpress 3: Developing Secure Sites". I know, I know, WTF Wordpress?!, right? But the topics he covers are relevant to any DB-based CMS and he covers a really wide range of recommendations. Just swap "plugins" with "add-ons" and it's all pretty familiar territory.
Cool. I'll take a look at that and try not to gag while reading the WP info. :) Thanks! –
Gadfly
© 2022 - 2024 — McMap. All rights reserved.